HID iClass SE Reader: a look inside
In this post, we will be taking apart a card reader – notably the HID iClass SE reader (if your physical security guys spent any money):
- Bunch of glue, epoxy and sand
- A PCB board with an antenna
ok… so really what are the details.
How we opened the iClass SE reader and what’s inside specifically
Since we don’t use our reader anymore (we switched to our own Kisi solution) we went into the machine shop and dissected the reader.
Since so many people use the iClass SE reader we thought a little reader hacking might be interesting for everyone.
The original mastermind behind the RFID hacks is Jonathan Westhues, here’s what made him famous in 2006. Considering that these reader manufacturers keep using pretty much the same things since then, your office readers might be the same standard (or even lower):
“In 2006, Westhues was hired by California State Senator Joe Simitian to illustrate the ease with which state lawmakers’ RFID-based ID cards could be read and cloned. He successfully read and cloned the ID card of California State Assembly member Fran Pavley, who remarked, “All that was done within a moment’s notice of time without me even being aware of it.”
Either way- The model we used is an iClass SE R40 from 2011 made in the Philippines – 920NTNTEKE0000. Admittedly this has been done before – check the Proxmark forum for details. But the images there were only focussing on components, not on general design of the iClass SE reader.
How we opened the iClass SE reader
Since the board is epoxied into the reader housing front, we used a regular steel cut saw to cut of the top slightly under the edge of the front:
Back of the iClass SE reader board
When we opened the reader we realized there was a lot of dust and seems like the PCB is mounted on top of some concrete powder. The reason for this could be to amplify the antenna which is mounted on the PCB. The back was black epoxy which however did not go underneath the PCB where the important components are arranged.
Front of the iClass SE reader board
The front of the reader showed a nice NXP chip which is the RFID component: PR600HL/C1, kS012171y, C3P004.00, SW4452.1. I couldn’t really dig it up on DigiKey or other electronics suppliers, most likely already too old. Should it then still be on the wall?
The front was filled with hardened foam and sand, most likely to make it heavier and not feel like a bunch of condensators and resistors (which it unfortunately is by the way).
To me looking at this picture the most interesting thing is the antenna: It goes all the way around the board to maximize the coverage of the antenna and readability of the cards at any point of the reader. It’s also interesting that the antenna is normally a coil of wire, HID decided to maximize the antenna by using 2 flat copper lines which most likely have more impact than round coils.
A great product! Production cost should be around $12. If you’d make a list with low tech in the office, it would most likely be in close competition with the coffee machine or the light sensor.
Interested in understanding more about access control? Take a look at our full review of HID readers and access systems or discover the benefits or remote cloud access control here.